From 3f59a91cfb021529b6e2101af34b586b876c7975 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 14 Nov 2022 17:09:41 -0500
Subject: [PATCH] Metadata/style update BitLocker 10
---
.../bitlocker-management-for-enterprises.md | 50 +--
.../bitlocker-network-unlock-faq.yml | 4 +-
...itlocker-overview-and-requirements-faq.yml | 22 +-
.../bitlocker/bitlocker-overview.md | 73 ++-
.../bitlocker-recovery-guide-plan.md | 422 +++++++++++-------
5 files changed, 316 insertions(+), 255 deletions(-)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 40381c3bef..c4539837f3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -18,10 +18,7 @@ ms.technology: itpro-security
The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
-Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
-
-> [!IMPORTANT]
-> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [ConfigMgr in on-prem scenarios](/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker/) in the future.
+Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
## Managing domain-joined computers and moving to cloud
@@ -29,6 +26,9 @@ Companies that image their own computers using Configuration Manager can use an
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
+> [!IMPORTANT]
+> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
+
## Managing devices joined to Azure Active Directory
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, or Windows 11, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, or Windows 11, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
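Review bot: the unchanged paragraph just above the new IMPORTANT note still tells readers that MBAM can manage on-premises clients "until [mainstream support ends in July 2019]" and that "over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management", which now contradicts the note that MBAM capabilities are offered through Configuration Manager BitLocker Management; since this pass touches the same section, rewrite that sentence as well (point to Configuration Manager BitLocker Management and drop the dated lifecycle wording) so the two statements do not sit side by side.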
@@ -96,38 +96,26 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
## Related Articles
-[BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
-
-[Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
-
-[Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
-
-[BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md)
-
-[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
+- [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
+- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
+- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
+- [BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md)
+- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
*(Overview)*
-
-[Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
+- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
*(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))*
-
-[BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/)
+- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/)
### Windows Server setup tools
-[Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
-
-[How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
-
-[How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
-
-[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
-
-[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-
-[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
+- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
+- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
+- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
+- [BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
+- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
### PowerShell
-[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
-
-[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)
+- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
+- [Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)
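Review bot: in the Related Articles list, `*(Overview)*` (after the Microsoft Intune item) and `*(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))*` (after the Configuration Settings Providers item) are left as unchanged standalone lines while the surrounding items were converted to `- ` bullets, so they now render as lazy continuations of the preceding bullet and may be indented inconsistently across renderers; fold each annotation onto its list item, as was already done for `*(Features on Demand)*` on the Server Core item, for example `- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/) *(Overview)*`.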
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
index 88967d942d..a9ce4e3c24 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
@@ -31,10 +31,10 @@ sections:
answer: |
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
- To use Network Unlock, a PIN must be configured for your computer. When your computer isn't connected to the network, you'll need to provide the PIN to unlock it.
+ To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used.
- Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter your PIN. If the PIN isn't available, you'll need to use the recovery key to unlock the computer if it can't be connected to the network.
+ Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
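Review bot: the rewritten line `Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM.` uses spaced hyphens as dashes; prefer a colon (`Network Unlock uses two protectors: the TPM protector and ...`) or separate sentences so the punctuation matches the rest of the FAQ. The unchanged context line `requirements for both client computers, Windows Deployment services, and domain controllers` also lists three items after `both`; drop `both` while this answer is being reworked.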
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 39f304e7be..523a647b0c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -34,21 +34,21 @@ sections:
answer: |
**How BitLocker works with operating system drives**
- You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
+ BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
- You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
+ BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods.
- question: Does BitLocker support multifactor authentication?
- answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
+ answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection.
- question: What are the BitLocker hardware and software requirements?
answer: |
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
> [!NOTE]
- > Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker.
+ > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
- question: Why are two partitions required? Why does the system drive have to be so large?
answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
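Review bot: capitalization slip on the first changed line of the hunk: `BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers` should read `BitLocker can be used ...`. The remaining passive-voice rewrites in this hunk read correctly.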
@@ -58,27 +58,27 @@ sections:
BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
> [!NOTE]
- > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
+ > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
>
- > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
+ > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.
- - question: How can I tell if a TPM is on my computer?
- answer: Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. You can also run [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** in PowerShell to get more details about the TPM on the current computer.
+ - question: How can I tell if a computer has a TPM?
+ answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer.
- question: Can I use BitLocker on an operating system drive without a TPM?
answer: |
- Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
+ Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
- question: How do I obtain BIOS support for the TPM on my computer?
answer: |
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- - It is compliant with the TCG standards for a client computer.
+ - It's compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
- question: What credentials are required to use BitLocker?
answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
- question: What is the recommended boot order for computers that are going to be BitLocker-protected?
- answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.
+ answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked.
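Review bot: the `which` to `that` change in `Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.` now attaches the clause to "the BIOS mode" and reverses the meaning (it is the tool, not the mode change, that prepares the disk); suggest `Before changing the BIOS mode, use the [MBR2GPT](/windows/deployment/mbr-to-gpt) tool, which prepares the OS and the disk to support UEFI.` Also, the rewritten TPM-status answer keeps a stray trailing `**` after the link in `[**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)**`, inherited from the old line; since the line is being rewritten anyway, drop it so the bold markup is balanced.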
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 22d71d965b..a0f5f8c56d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -1,6 +1,6 @@
---
title: BitLocker
-description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
+description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
@@ -23,46 +23,47 @@ ms.technology: itpro-security
- Windows 11
- Windows Server 2016 and above
-This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
+This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-## BitLocker overview
+## BitLocker overview
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
-BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
+BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline.
-On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.
+On computers that don't have a TPM version 1.2 or later versions, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, an operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
-In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
+In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
-## Practical applications
+## Practical applications
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
-There are two additional tools in the Remote Server Administration Tools which you can use to manage BitLocker.
+There are two additional tools in the Remote Server Administration Tools that can be used to manage BitLocker.
-- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
- By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.
+- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables the BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS) to be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
+
+ By using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. Additionally, a domain container can be searched for a BitLocker recovery password across all the domains in the Active Directory forest by right clicking on the domain container. Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator.
- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
-BitLocker control panel, and they are appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console.
+BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.
-## New and changed functionality
+## New and changed functionality
+
+To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in [What's new in Windows 10, versions 1507 and 1511 for IT Pros](/windows/whats-new/whats-new-windows-10-version-1507-and-1511).
-To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10."
-
## System requirements
BitLocker has the following hardware requirements:
-For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive.
+For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker.
-A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware.
+A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
> [!IMPORTANT]
-> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
+> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
> [!NOTE]
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
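Review bot: the last sentence of the rewritten Recovery Password Viewer paragraph is ungrammatical: `Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator.` Suggest `Recovery passwords can only be viewed by a domain administrator or by a user who has been delegated permissions by a domain administrator.`, and hyphenate `right clicking` as `right-clicking` in the same paragraph. Two smaller points in this hunk: `Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.` reads better as `Neither option provides ...`, and the unchanged `> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS.` note at the end of the hunk was left uncontracted while the matching note in the FAQ file in this same patch was changed to `TPM 2.0 isn't supported`, so the two copies now diverge.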
@@ -72,34 +73,30 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th
The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
-- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
+- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
-A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives).
+A partition subject to encryption can't be marked as an active partition. This requirement applies to the operating system drives, fixed data drives, and removable data drives.
-
-When installing the BitLocker optional component on a server, you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives.
+When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. |
-| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
-| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. |
-| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. |
-| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.|
-| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic describes how BitLocker Network Unlock works and how to configure it. |
-| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic describes how to use tools to manage BitLocker.|
-| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic describes how to use the BitLocker Recovery Password Viewer. |
-| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
-| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.|
-| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. |
+| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This article provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. |
+| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This article answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
+| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This article explains the procedure you can use to plan your BitLocker deployment. |
+| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This article explains how BitLocker features can be used to protect your data through drive encryption. |
+| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This article explains how to deploy BitLocker on Windows Server.|
+| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This article describes how BitLocker Network Unlock works and how to configure it. |
+| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This article describes how to use tools to manage BitLocker.|
+| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This article describes how to use the BitLocker Recovery Password Viewer. |
+| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
+| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
+| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
-| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.|
-| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic describes how to use BitLocker with Windows IoT Core |
-
-
-
+| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
+| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |
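Review bot: the reworded system-drive bullet carries over a typo. `It's recommend that system drive be approximately 350 MB in size.` should read `It's recommended that the system drive be approximately 350 MB in size.` The same bullet states that the system drive must remain unencrypted but gives no hint of what protects it; one sentence noting that the boot files on this partition are covered by the TPM boot measurements (the recovery guide in this same patch lists `Changes to the boot manager on the disk` as a recovery trigger) and that Secure Boot should stay enabled, as the NOTE above already recommends, would tell the reader why an unencrypted system partition is acceptable. Minor: the last table row `This article describes how to use BitLocker with Windows IoT Core` lacks the terminal period every other row has.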
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 2dce6b6818..ffac549533 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -26,260 +26,308 @@ ms.custom: bitlocker
This article describes how to recover BitLocker keys from AD DS.
-Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.
+Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
-This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
+This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
-This article does not detail how to configure AD DS to store the BitLocker recovery information.
+This article doesn't detail how to configure AD DS to store the BitLocker recovery information.
+## What is BitLocker recovery?
-## What is BitLocker recovery?
+BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
-BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive:
+- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain.
-- **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. (Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
-- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+
+- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
### What causes BitLocker recovery?
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
-- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
+
+- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised.
+
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
+
- Failing to boot from a network drive before booting from the hard drive.
-- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
+
+- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked.
+
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
+
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
-- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.
+
+- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM.
+
- Turning off, disabling, deactivating, or clearing the TPM.
+
- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
+
- Forgetting the PIN when PIN authentication has been enabled.
+
- Updating option ROM firmware.
+
- Upgrading TPM firmware.
+
- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards.
+
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
+
- Changes to the master boot record on the disk.
+
- Changes to the boot manager on the disk.
-- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
-- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
+
+- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software.
+
+- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
+
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
> [!NOTE]
> Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
- Moving the BitLocker-protected drive into a new computer.
+
- Upgrading the motherboard to a new one with a new TPM.
+
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
+
- Failing the TPM self-test.
-- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
+
+- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
+
- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
> [!NOTE]
> The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
+
- Pressing the F8 or F10 key during the boot process.
+
- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
+
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
-
> [!NOTE]
-> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
-
-For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
+> Before beginning recovery, it is recommend to determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
+
+For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
> [!NOTE]
> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
-If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker network unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
+If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker network unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method.
-Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
+Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user.
-## Testing recovery
+## Testing recovery
-Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
+Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation.
**To force a recovery for the local computer:**
-1. Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**.
-2. At the command prompt, type the following command and then press **ENTER**:
+1. Select the **Start** button and type in **cmd**
- `manage-bde.exe -forcerecovery `
+2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
+
+3. At the command prompt, enter the following command:
+
+ ``` syntax
+ manage-bde.exe -forcerecovery
+ ```
**To force recovery for a remote computer:**
-1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**.
+1. Select the **Start** button and type in **cmd**
-2. At the command prompt, type the following command and then press **ENTER**:
+2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
- `manage-bde.exe -ComputerName -forcerecovery `
+3. At the command prompt, enter the following command:
+
+ ``` syntax
+ manage-bde.exe -ComputerName -forcerecovery
+ ```
> [!NOTE]
> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
+## Planning the recovery process
-## Planning your recovery process
-
-When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.
+When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: How does the enterprise handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model.
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
-After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.
+After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
-When you determine your recovery process, you should:
+When the recovery process is determined:
-- Become familiar with how you can retrieve the recovery password. See:
+- Become familiar with how a recovery password can be retrieved. See:
- - [Self-recovery](#bkmk-selfrecovery)
- - [Recovery password retrieval](#bkmk-recoveryretrieval)
+ - [Self-recovery](#self-recovery)
+ - [Recovery password retrieval](#recovery-password-retrieval)
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
- - [Post-recovery analysis](#bkmk-planningpostrecovery)
+ - [Post-recovery analysis](#post-recovery-analysis)
+### Self-recovery
-### Self-recovery
+In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
-In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
+### Recovery password retrieval
-### Recovery password retrieval
-
-If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
+If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
- **Choose how BitLocker-protected operating system drives can be recovered**
+
- **Choose how BitLocker-protected fixed drives can be recovered**
+
- **Choose how BitLocker-protected removable drives can be recovered**
+
In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD
-DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
+DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
> [!NOTE]
-> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required.
-
+> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required.
+
The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
-You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
+The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
-- [Record the name of the user's computer](#bkmk-recordcomputername)
-- [Verify the user's identity](#bkmk-verifyidentity)
-- [Locate the recovery password in AD DS](#bkmk-locatepassword)
-- [Gather information to determine why recovery occurred](#bkmk-gatherinfo)
-- [Give the user the recovery password](#bkmk-givepassword)
+- [Record the name of the user's computer](#record-the-name-of-the-users-computer)
+- [Verify the user's identity](#verify-the-users-identity)
+- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds)
+- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred)
+- [Give the user the recovery password](#give-the-user-the-recovery-password)
+### Record the name of the user's computer
-### Record the name of the user's computer
+The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.
-You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.
+### Verify the user's identity
+The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.
-### Verify the user's identity
-
-You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user.
-
-### Locate the recovery password in AD DS
-
-Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.
+### Locate the recovery password in AD DS
+Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest.
### Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
-If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console.
+To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console.
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
+### Gather information to determine why recovery occurred
-### Gather information to determine why recovery occurred
+Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis).
-Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery).
+### Give the user the recovery password
-
-### Give the user the recovery password
-
-Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
+Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password.
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
-### Post-recovery analysis
+### Post-recovery analysis
-When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
+When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
-If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See:
+If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see:
-- [Determine the root cause of the recovery](#bkmk-determinecause)
-- [Refresh BitLocker protection](#bkmk-refreshprotection)
+- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery)
+- [Resolve the root cause](#resolve-the-root-cause)
-### Determine the root cause of the recovery
+### Determine the root cause of the recovery
-If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
+If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.
-Review and answer the following questions for your organization:
+Review and answer the following questions for the organization:
1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
+
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
+
3. If TPM mode was in effect, was recovery caused by a boot file change?
+
4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software?
+
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
+
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
-To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely.
+To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode:
-### Resolve the root cause
+``` syntax
+manage-bde.exe -status
+```
-After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup.
+Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely.
-The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
+### Resolve the root cause
+
+After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup.
+
+The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
> [!NOTE]
-> You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.
+> BitLocker validation profile reset can be performed by suspending and resuming BitLocker.
-- [Unknown PIN](#bkmk-unknownpin)
-- [Lost startup key](#bkmk-loststartup)
-- [Changes to boot files](#bkmk-changebootknown)
+- [Unknown PIN](#unknown-pin)
+- [Lost startup key](#lost-startup-key)
+- [Changes to boot files](#changes-to-boot-files)
+### Unknown PIN
-### Unknown PIN
+If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
-If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
-
-**To prevent continued recovery due to an unknown PIN**
+#### To prevent continued recovery due to an unknown PIN
1. Unlock the computer using the recovery password.
+
2. Reset the PIN:
+
1. Select and hold the drive and then select **Change PIN**
- 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time.
+
+ 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time.
+
3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**.
-3. You will use the new PIN the next time you unlock the drive.
-### Lost startup key
+3. The new PIN can be used the next time the drive needs to be unlocked.
-If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key.
+### Lost startup key
-**To prevent continued recovery due to a lost startup key**
+If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created.
+
+#### To prevent continued recovery due to a lost startup key
+
+1. Sign in as an administrator to the computer that has its startup key lost.
-1. Log on as an administrator to the computer that has its startup key lost.
2. Open Manage BitLocker.
-3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then select **Save**.
-### Changes to boot files
+3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**.
-This error occurs if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
+### Changes to boot files
+
+This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time.
## Windows RE and BitLocker Device Encryption
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
-Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
+Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.
-The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
+The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
-To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**.
-To activate the on-screen keyboard, tap on a text input control.
+To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. To activate the on-screen keyboard, tap on a text input control.
:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated.":::
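Review bot: two wording errors in the added lines under "Gather information to determine why recovery occurred" and "Lost startup key": "information should be gatherer that will help determine" should read "information should be gathered that will help determine", and "then drive must be unlocked by using the recovery key. A new startup can then be created." drops two words and should read "then the drive must be unlocked by using the recovery key. A new startup key can then be created." Smaller points in the same hunk: "eight character password ID" under "Multiple recovery passwords" wants a hyphen ("eight-character"), and the reworded Windows RE paragraph still carries the stray bold fragment "PCR\[7\] **the TPM** can validate", which reads better as "PCR[7], the TPM can validate" now that the sentence is being touched anyway.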
@@ -287,26 +335,25 @@ To activate the on-screen keyboard, tap on a text input control.
During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
-
### Custom recovery message
-BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
+BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
-It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
-*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\*
+It can also be configured using mobile device management (MDM), including in Intune, using the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp):
+
+**`./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage`**

-Example of customized recovery screen:
+Example of a customized recovery screen:

-
### BitLocker recovery key hints
-BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.

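Review bot: subject-verb agreement in the reworded custom recovery message paragraph: "BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, allows configuring a custom recovery message" should be "allow configuring", since the subject is the plural "settings".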
@@ -316,15 +363,22 @@ BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 t
There are rules governing which hint is shown during the recovery (in the order of processing):
1. Always display custom recovery message if it has been configured (using GPO or MDM).
-2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq."
-3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
-4. Prioritize keys with successful backup over keys that have never been backed up.
-5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
-6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
-7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
-8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed.
-9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer.
+2. Always display generic hint: `For more information, go to https://aka.ms/recoverykeyfaq.`
+
+3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
+
+4. Prioritize keys with successful backup over keys that have never been backed up.
+
+5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
+
+6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
+
+7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
+
+8. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed.
+
+9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer.
#### Example 1 (single recovery key with single backup)
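Review bot: rule 7 in the hint-ordering list keeps a typo this rewrite should fix: "multiple backups of the same type (remove vs. local)" should read "(remote vs. local)", matching rule 5, which calls these "remote backup locations". The rest of the hunk only adds blank lines between list items.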
@@ -336,12 +390,10 @@ There are rules governing which hint is shown during the recovery (in the order
| Printed | No |
| Saved to file | No |
-
**Result:** The hints for the Microsoft account and custom URL are displayed.

-
#### Example 2 (single recovery key with single backup)
| Custom URL | Yes |
@@ -356,7 +408,6 @@ There are rules governing which hint is shown during the recovery (in the order

-
#### Example 3 (single recovery key with multiple backups)
| Custom URL | No |
@@ -371,7 +422,6 @@ There are rules governing which hint is shown during the recovery (in the order

-
#### Example 4 (multiple recovery passwords)
| Custom URL | No |
@@ -401,7 +451,6 @@ There are rules governing which hint is shown during the recovery (in the order

-
#### Example 5 (multiple recovery passwords)
| Custom URL | No |
@@ -414,9 +463,6 @@ There are rules governing which hint is shown during the recovery (in the order
| Creation time | **1PM** |
| Key ID | 99631A34 |
-
-
-
| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | No |
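Review bot: removing all three blank lines between the two tables in Example 5 merges them when the Markdown renders: "| Key ID | 99631A34 |" is now directly followed by "| Custom URL | No |" and its "|----------------------|-----------------|" separator, so the second table's header and separator become body rows of the first. Keep exactly one blank line between the two tables, as the neighbouring hunks do when they collapse doubled blank lines to one.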
@@ -431,72 +477,83 @@ There are rules governing which hint is shown during the recovery (in the order

-
-## Using additional recovery information
+## Using additional recovery information
Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
-
### BitLocker key package
-If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password.
+If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password.
> [!NOTE]
-> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
+> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package.
-The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the group policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
+The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package).
-## Resetting recovery passwords
+## Resetting recovery passwords
-You must invalidate a recovery password after it has been provided and used, and when you intentionally want to invalidate an existing recovery password for any reason.
+It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason.
-You can reset the recovery password in two ways:
+The recovery password and be invalidated and reset in two ways:
-- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
+- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-**To reset a recovery password using manage-bde:**
+- **Run a script**: A script can be run to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
+
+### Resetting a recovery password using `manage-bde.exe`
1. Remove the previous recovery password.
- ```powershell
- Manage-bde -protectors -delete C: -type RecoveryPassword
+ ``` syntax
+ `manage-bde.exe` -protectors -delete C: -type RecoveryPassword
```
+
2. Add the new recovery password.
- ```powershell
- Manage-bde -protectors -add C: -RecoveryPassword
+ ``` syntax
+ `manage-bde.exe` -protectors -add C: -RecoveryPassword
```
+
3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
- ```powershell
- Manage-bde -protectors -get C: -Type RecoveryPassword
+ ``` syntax
+ `manage-bde.exe` -protectors -get C: -Type RecoveryPassword
```
+
4. Back up the new recovery password to AD DS.
- ```powershell
- Manage-bde -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
+ ``` syntax
+ `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```
> [!WARNING]
- > You must include the braces in the ID string.
+ > The braces `{}` must be included in the ID string.
-**To run the sample recovery password script:**
+### Running the sample recovery password script to reset the recovery passwords
-1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
-2. At the command prompt, type a command similar to the following:
+1. Save the following sample script in a VBScript file. For example:
- **cscript ResetPassword.vbs**
+ `ResetPassword.vbs`.
+
+2. At the command prompt, enter the following command::
+
+ ``` syntax
+ cscript.exe ResetPassword.vbs
+ ```
> [!IMPORTANT]
- > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.
+ > This sample script is configured to work only for the C volume. If necessary, customize the script to match the volume where the password reset needs to be tested.
> [!NOTE]
-> To manage a remote computer, you must specify the remote computer name rather than the local computer name.
+> To manage a remote computer, specify the remote computer name rather than the local computer name.
-You can use the following sample VBScript to reset the recovery passwords:
+The following sample VBScript can be used to reset the recovery passwords:
-```vb
+
+
+ Expand to view sample recovery password VBscript to reset the recovery passwords
+
+``` vb
' Target drive letter
strDriveLetter = "c:"
' Target computer name
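Review bot: the four `manage-bde.exe` commands in this hunk (the `-delete`, `-add`, `-get` and `-adbackup` steps) are wrapped in inline backticks inside a fenced code block, where backticks render literally, so the command as displayed cannot be copied and run; drop the backticks, e.g. `manage-bde.exe -protectors -delete C: -type RecoveryPassword`. Two smaller points in the same hunk: "enter the following command::" has a doubled colon, and "VBscript" in the "Expand to view ..." line should match the "VBScript" spelling used in step 1. If that "Expand to view" line is meant to be a collapsible section, the `<details>`/`<summary>` markup is not visible in this hunk and should be confirmed before merge.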
@@ -564,29 +621,38 @@ Next
WScript.Echo "A new recovery password has been added. Old passwords have been removed."
' - some advanced output (hidden)
'WScript.Echo ""
-'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
+'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
```
+
-## Retrieving the BitLocker key package
+## Retrieving the BitLocker key package
-You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):
+Two methods can be used to retrieve the key package as described in [Using Additional Recovery Information](#using-additional-recovery-information):
-- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
-- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
+- **Export a previously saved key package from AD DS.** Read access is required to BitLocker recovery passwords that are stored in AD DS.
-The following sample script exports all previously saved key packages from AD DS.
+- **Export a new key package from an unlocked, BitLocker-protected volume.** Local administrator access to the working volume is required before any damage occurred to the volume.
-**To run the sample key package retrieval script:**
+### Running the sample key package retrieval script that exports all previously saved key packages from AD DS
-1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.
-2. At the command prompt, type a command similar to the following sample script:
+The following steps and sample script exports all previously saved key packages from AD DS.
- **cscript GetBitLockerKeyPackageADDS.vbs -?**
+1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackageADDS.vbs`.
-You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS:
+2. At the command prompt, enter a command similar to the following sample script:
-```vb
+ ``` syntax
+ cscript.exe GetBitLockerKeyPackageADDS.vbs -?
+ ```
+
+The following sample script can be used to create a VBScript file to retrieve the BitLocker key package from AD DS:
+
+
+
+ Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS
+
+``` vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
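Review bot: grammar in the rewritten prose of this hunk: "The following steps and sample script exports" should be "export"; "before any damage occurred to the volume" should read "before any damage occurs to the volume" (the removed "has occurred" was at least consistent in tense); and "Read access is required to BitLocker recovery passwords that are stored in AD DS" reads better as "Read access to the BitLocker recovery passwords stored in AD DS is required." The cross-reference anchor changes from `#bkmk-usingaddrecovery` to `#using-additional-recovery-information`; confirm that the target heading in this file renders exactly that slug, otherwise the link breaks silently. "VBscript" in the expand line should be "VBScript" as elsewhere.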
@@ -724,16 +790,25 @@ End Function
WScript.Quit
```
-The following sample script exports a new key package from an unlocked, encrypted volume.
+
-**To run the sample key package retrieval script:**
+### Running the sample key package retrieval script that exports a new key package from an unlocked, encrypted volume
-1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs
-2. Open an administrator command prompt, and then type a command similar to the following sample script:
+The following steps and sample script exports a new key package from an unlocked, encrypted volume.
- **cscript GetBitLockerKeyPackage.vbs -?**
+1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackage.vbs`
-```vb
+2. Open an administrator command prompt, and then enter a command similar to the following sample script:
+
+ ``` syntax
+ cscript.exe GetBitLockerKeyPackage.vbs -?
+ ```
+
+
+
+ Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume
+
+``` vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
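Review bot: same agreement error as the previous section, "The following steps and sample script exports" should be "export", and step 1 here ends without a period after `GetBitLockerKeyPackage.vbs` while the parallel step for `GetBitLockerKeyPackageADDS.vbs` has one; make the two consistent. "VBscript" in the expand line should be "VBScript".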
@@ -826,7 +901,7 @@ End If
' Fail case: no recovery key protectors exist.
If strDefaultKeyProtectorID = "" Then
WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
-WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""."
+WScript.Echo "For help adding recovery passwords or recovery keys, enter ""manage-bde.exe -protectors -add -?""."
WScript.Quit -1
End If
End If
@@ -886,7 +961,7 @@ End If
WScript.Echo "Save this recovery password: " & sNumericalPassword
ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
-WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?"""
+WScript.Echo "For help re-saving this external key file, enter ""manage-bde.exe -protectors -get -?"""
End If
'----------------------------------------------------------------------------------------
' Utility functions to save binary data
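Review bot: the rewritten message ends `-get -?"""` with no closing period, while the parallel message changed in the earlier hunk ends `-add -?""."`; add the period so the two user-facing help prompts are punctuated the same way.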
@@ -911,7 +986,8 @@ Function BinaryToString(Binary)
End Function
```
+
-## See also
+## Related articles
- [BitLocker overview](bitlocker-overview.md)